
Testim Security Practices and Protocols

Overview

This paper describes our approach to securing our users' tests and data. Testim treats all data as highly sensitive and applies current security practices and encryption technologies to protect it.

This paper covers network, storage, and cloud policies and describes security considerations used in our products.

As of October 2019, Testim has been certified in compliance with the AICPA’s Service Organization Controls (SOC 2 Type II). For more information about this report or any security concerns, contact your Testim representative.

Cloud general architecture

The Testim backend is hosted on the AWS and Azure cloud providers. Testim's application servers run on Amazon AWS, inside an AWS Virtual Private Cloud (VPC), with an independent security group and an independent subnet for each resource. The Mongo, Redis, and MySQL databases are not exposed publicly. Communication between the Testim servers and the Mongo servers is encrypted with TLS, and the data disks are encrypted (encryption at rest).

Raw data (images, test locator results) is stored in Azure Storage under randomly generated GUID names. The Testim scheduler runs on a Kubernetes cluster.

Communication between the Testim servers and Azure Storage and Kubernetes is encrypted and authenticated.

Diagram: Communication between Testim servers and Azure Storage and Kubernetes
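The statement that the Mongo, Redis and MySQL databases are not exposed publicly is something a practitioner would want to verify against the actual security-group rules rather than take on trust. The following is an added example, not Testim's code: a small audit that walks security groups in the shape returned by `aws ec2 describe-security-groups` and reports any database port reachable from `0.0.0.0/0` or `::/0`, including the two ways such exposure usually hides (a wide port range, and the `-1` "all protocols" rule). The group IDs and rules are constructed sample data.

```javascript
// Added example (not Testim's code): report database ports open to the Internet
// in AWS security-group rules. Input mirrors the IpPermissions structure that
// `aws ec2 describe-security-groups` returns.

// Ports of the databases the paper says are not publicly exposed.
const DB_PORTS = { 27017: "mongodb", 6379: "redis", 3306: "mysql" };

// Constructed sample: a public web tier, a correctly locked-down Mongo group,
// and a misconfigured group that exposes every database port.
const SAMPLE_GROUPS = [
  {
    GroupId: "sg-app",
    IpPermissions: [
      { IpProtocol: "tcp", FromPort: 443, ToPort: 443,
        IpRanges: [{ CidrIp: "0.0.0.0/0" }], UserIdGroupPairs: [] },
    ],
  },
  {
    GroupId: "sg-mongo",
    IpPermissions: [
      // Correct: only members of the app tier's group may reach 27017.
      { IpProtocol: "tcp", FromPort: 27017, ToPort: 27017,
        IpRanges: [], UserIdGroupPairs: [{ GroupId: "sg-app" }] },
    ],
  },
  {
    GroupId: "sg-redis-bad",
    IpPermissions: [
      // Misconfigured: a wide port range from anywhere covers 3306, 6379 and 27017.
      { IpProtocol: "tcp", FromPort: 1024, ToPort: 65535,
        IpRanges: [{ CidrIp: "0.0.0.0/0" }], UserIdGroupPairs: [] },
      // Misconfigured: "-1" means all protocols and all ports, here from any IPv6 source.
      { IpProtocol: "-1", Ipv6Ranges: [{ CidrIpv6: "::/0" }] },
    ],
  },
];

function isWorldOpen(perm) {
  const v4 = (perm.IpRanges || []).some(r => r.CidrIp === "0.0.0.0/0");
  const v6 = (perm.Ipv6Ranges || []).some(r => r.CidrIpv6 === "::/0");
  return v4 || v6;
}

// Which of the database ports a single permission entry reaches.
function portsCovered(perm) {
  const all = Object.keys(DB_PORTS).map(Number);
  if (perm.IpProtocol === "-1") return all;
  if (perm.IpProtocol !== "tcp") return [];
  return all.filter(p => p >= perm.FromPort && p <= perm.ToPort);
}

// Returns one finding per (group, port), e.g. { group: "sg-redis-bad", port: 6379, service: "redis" }.
function findPublicDbExposure(groups) {
  const seen = new Set();
  const findings = [];
  for (const g of groups) {
    for (const perm of g.IpPermissions || []) {
      if (!isWorldOpen(perm)) continue;
      for (const port of portsCovered(perm)) {
        const key = `${g.GroupId}:${port}`;
        if (seen.has(key)) continue;
        seen.add(key);
        findings.push({ group: g.GroupId, port, service: DB_PORTS[port] });
      }
    }
  }
  return findings;
}

console.log(findPublicDbExposure(SAMPLE_GROUPS));
```

The check deliberately treats a group-to-group reference (`UserIdGroupPairs`) as private: that is the pattern the paper's "independent security group for each resource" implies, where the database group admits only the application tier's group rather than any CIDR.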

Test recording/playback

Testim's record/playback functionality is powered by our Google Chrome extension. The extension is controlled from our dashboard by an authenticated user. It is designed to meet Google Chrome's extension Content Security Policy (CSP), which restricts the actions and resources the extension can use to those directly associated with Testim record/playback.

All recorded data is sent over a secure connection and saved on our secured data service. Tests and data generated from record/playback are available only to authenticated users through our dashboard.

Activation Policy

By default our Google Chrome extension is inactive: it does not collect or track any activity the user performs in the Chrome browser. Once the user starts a new recording, either from the Testim editor or from the Testim bug capture feature, the extension begins collecting data that represents the user's actions (clicks, text insertion, navigation, and so on).

Recording is always limited to the selected tab and its descendants (tabs opened from the selected tab and, recursively, tabs opened from those) and never affects other browser tabs or windows.
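The activation and scoping rules above amount to a small state machine: inactive until the user starts a recording, then a set of in-scope tab IDs that grows only when an in-scope tab opens a new one. The following is an added example, not Testim's extension code, that models that logic with the fields the `chrome.tabs` API exposes (`id`, `openerTabId`) so it can be exercised offline; the event stream is constructed, and the choice that closing the root tab ends the recording is an assumption of the example.

```javascript
// Added example (not Testim's code): recording scope limited to the selected
// tab and its descendants. Tab objects use the chrome.tabs fields id and
// openerTabId; events are replayed from a constructed list instead of real
// chrome.tabs.onCreated / onRemoved listeners.

class RecordingScope {
  constructor() { this.rootTabId = null; this.tabs = new Set(); }

  // Called when the user starts a recording; nothing is captured before this.
  start(tabId) { this.rootTabId = tabId; this.tabs = new Set([tabId]); }
  stop() { this.rootTabId = null; this.tabs.clear(); }
  get active() { return this.rootTabId !== null; }

  // chrome.tabs.onCreated: a new tab joins the scope only if its opener is in scope,
  // which gives the recursive "descendants" rule for free.
  onTabCreated(tab) {
    if (this.active && tab.openerTabId !== undefined && this.tabs.has(tab.openerTabId)) {
      this.tabs.add(tab.id);
    }
  }

  // chrome.tabs.onRemoved: a closed tab leaves the scope; closing the root tab
  // ends the recording (assumed behaviour, not stated in the paper).
  onTabRemoved(tabId) {
    if (tabId === this.rootTabId) this.stop(); else this.tabs.delete(tabId);
  }

  // Every captured user action is gated on this before it is sent anywhere.
  shouldRecord(tabId) { return this.active && this.tabs.has(tabId); }
}

// Replays an event stream and returns the actions that would be recorded.
function replay(events) {
  const scope = new RecordingScope();
  const captured = [];
  for (const e of events) {
    if (e.type === "start") scope.start(e.tabId);
    else if (e.type === "created") scope.onTabCreated(e.tab);
    else if (e.type === "removed") scope.onTabRemoved(e.tabId);
    else if (e.type === "action" && scope.shouldRecord(e.tabId)) captured.push(`${e.tabId}:${e.action}`);
  }
  return captured;
}

// Constructed events: tab 1 is recorded; 2 opens from 1; 3 from 2;
// tab 9 is an unrelated tab the user opened by hand; 10 opens from 9.
const SAMPLE_EVENTS = [
  { type: "action", tabId: 1, action: "click" },        // before start: ignored
  { type: "start", tabId: 1 },
  { type: "created", tab: { id: 2, openerTabId: 1 } },  // child: in scope
  { type: "created", tab: { id: 9 } },                  // no opener: out of scope
  { type: "created", tab: { id: 3, openerTabId: 2 } },  // grandchild: in scope
  { type: "created", tab: { id: 10, openerTabId: 9 } }, // child of unrelated tab: out of scope
  { type: "removed", tabId: 2 },                        // closing 2 does not evict 3
  { type: "action", tabId: 1, action: "type" },
  { type: "action", tabId: 2, action: "click" },        // closed tab: ignored
  { type: "action", tabId: 3, action: "click" },
  { type: "action", tabId: 9, action: "click" },
  { type: "action", tabId: 10, action: "navigate" },
  { type: "removed", tabId: 1 },                        // root closed: recording ends
  { type: "action", tabId: 3, action: "click" },        // after stop: ignored
];

console.log(replay(SAMPLE_EVENTS)); // [ '1:type', '3:click' ]
```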

Playback Isolation

Test playback uses the data generated during recording. Testim never initiates any action or communication other than those recorded by the user. All test data is limited to the domain used in the recording (the base URL) and is never used on a different domain unless the user explicitly selects one when running a test.

Storage policy

Test Data

Test data and other artifacts are never written to disk on the browser machine. They exist only in the memory of the browser under test and are sent to the client over a secure connection. When interim data is stored as part of the test service, it is kept in a secure cloud-based location and transferred over Transport Layer Security (TLS).

Test history is stored in a secure cloud database. Access to it is authenticated and encrypted in transit, so test history is available only to authorized users through their Testim account.

Logging

All Testim products generate usage logs, which are used for analytics and monitoring (error reporting). These usage logs contain neither personal data about the user nor any browsing data generated during tests.

Screenshots and Browser Console Logs

Testim Automate and Capture collect screenshots and browser console log data. Both are captured during test sessions and subsequently displayed on the user's dashboard.

Video

Video is captured during a Testim bug capture recording. Starting a video capture is always triggered by a user action; Testim never captures video of your browser or desktop automatically. The user is prompted to consent to recording their desktop when the recording starts.

While recording, a persistent recording indicator is shown so that the user is aware capture is in progress and is reminded to stop it once done. The generated video is sent to our cloud storage over a secure connection and is visible only to you and your project members through the dashboard.

Testim cloud policy

Testim Grid – Public Cloud

Testim's Selenium-based Grid in the Public Cloud configuration is built on Ubuntu LTS, a long-term-support operating system, and deployed on AWS.

Ubuntu LTS is enterprise-focused and well-tested, and provides a Mandatory Access Control (MAC) system (AppArmor). We chose Ubuntu LTS specifically because it receives regular security patches and upgrades throughout its support lifetime, so the grid hosts can be kept patched over time.

Every test run in Testim Grid is performed on a new and clean browser session which holds no previous data, state or storage. Every browser session is terminated upon test completion.

Data generated locally in the browser session during a test run is neither saved nor sent anywhere in the Testim cloud or externally. It exists only for the lifetime of the browser session.

Testim Grid – Private Cloud

Testim Selenium Grid in the Private Cloud configuration is a dedicated Testim Grid for a single customer. The grid is built on Ubuntu LTS and deployed on AWS in the same way as the Testim Grid – Public Cloud.

In addition to the security features described in the Testim Grid – Public Cloud section above, in a Testim Grid – Private Cloud the AWS VPC where the Testim Grid is deployed is connected to the customer's data center over a dedicated VPN connection through an AWS VPN Gateway, or over a VPC peering connection, as shown in the diagram below.

The Testim Grid can be accessed only through the VPN connection. The AWS VPC network ACL (NACL) is configured to send and receive traffic with the customer's data center only, so the Testim Grid – Private Cloud is not reachable from the Internet.
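A NACL that admits "the customer data center only" is easy to get subtly wrong, because network ACLs are stateless: a rule that lets the customer's requests in does nothing for the replies going back out, which leave on the client's ephemeral port and need their own outbound allow rule. The following is an added example, not Testim's configuration, that evaluates NACL rules the way the VPC does (ascending rule number, first match wins, implicit deny) and checks both legs of a TCP connection. The customer CIDR and the grid port (4444, Selenium's default hub port) are assumptions, and the rules are constructed in the shape `aws ec2 describe-network-acls` returns.

```javascript
// Added example (not Testim's configuration): evaluate AWS network ACL rules
// and check both directions of a TCP connection, because NACLs are stateless.
// CUSTOMER_CIDR and GRID_PORT are assumed values; the rules are constructed.

const CUSTOMER_CIDR = "10.20.0.0/16"; // assumed customer data-center range
const GRID_PORT = 4444;               // assumed grid listener port (Selenium default)

const NACL = {
  inbound: [
    { RuleNumber: 100, Protocol: "tcp", PortRange: [GRID_PORT, GRID_PORT],
      CidrBlock: CUSTOMER_CIDR, RuleAction: "allow" },
    { RuleNumber: 32767, Protocol: "-1", PortRange: [0, 65535],
      CidrBlock: "0.0.0.0/0", RuleAction: "deny" },
  ],
  outbound: [
    // Replies to the customer's connections go to ephemeral client ports and
    // need their own allow rule: the ACL does not remember the inbound request.
    { RuleNumber: 100, Protocol: "tcp", PortRange: [1024, 65535],
      CidrBlock: CUSTOMER_CIDR, RuleAction: "allow" },
    { RuleNumber: 32767, Protocol: "-1", PortRange: [0, 65535],
      CidrBlock: "0.0.0.0/0", RuleAction: "deny" },
  ],
};

// IPv4 dotted-quad to unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => ((acc << 8) + Number(octet)) >>> 0, 0);
}

function cidrContains(cidr, ip) {
  const [base, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  if (bits === 0) return true;
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return ((ipToInt(base) & mask) >>> 0) === ((ipToInt(ip) & mask) >>> 0);
}

// First matching rule in ascending RuleNumber order decides; no match is a deny.
function evaluate(rules, { ip, port, protocol }) {
  const ordered = [...rules].sort((a, b) => a.RuleNumber - b.RuleNumber);
  for (const r of ordered) {
    const protoOk = r.Protocol === "-1" || r.Protocol === protocol;
    const portOk = r.Protocol === "-1" || (port >= r.PortRange[0] && port <= r.PortRange[1]);
    if (protoOk && portOk && cidrContains(r.CidrBlock, ip)) return r.RuleAction;
  }
  return "deny";
}

// A TCP connection crosses a stateless ACL twice: the request (inbound, to the
// service port) and the reply (outbound, to the client's ephemeral port).
function connectionAllowed(acl, clientIp, servicePort, clientPort) {
  const request = evaluate(acl.inbound, { ip: clientIp, port: servicePort, protocol: "tcp" });
  const reply = evaluate(acl.outbound, { ip: clientIp, port: clientPort, protocol: "tcp" });
  return request === "allow" && reply === "allow";
}

// Same inbound rules but no ephemeral-port return rule: requests get in, replies never get out.
const NACL_NO_RETURN = {
  inbound: NACL.inbound,
  outbound: NACL.outbound.filter(r => r.RuleNumber !== 100),
};

console.log(connectionAllowed(NACL, "10.20.5.7", GRID_PORT, 51000));           // true
console.log(connectionAllowed(NACL, "203.0.113.9", GRID_PORT, 51000));         // false: not the customer range
console.log(connectionAllowed(NACL_NO_RETURN, "10.20.5.7", GRID_PORT, 51000)); // false: reply leg denied
```

The paper also says test results are sent to the Testim SaaS environment over TLS, so a real private-grid ACL needs an outbound rule for that path as well; its destination is not given here, so the example leaves it out rather than guess.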

Test results are saved in the Testim SaaS production environment; all communication to those servers is over TLS.

Diagram: Testim.io test flow

Testim Cloud Services

All access to Testim cloud services is over a secure connection (HTTPS) and is authenticated to verify the identity of the user accessing the service.

Network policy

To ensure that users' test runs are always secure, we use HTTPS by default. Every request to Testim over plain HTTP is redirected to a secure HTTPS connection. HTTPS uses Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL), to protect the communication between your browser and the Testim servers.

In some cases, when rich user interaction or a real-time experience is required, a bidirectional, persistent connection with the Testim service is needed. For that purpose we use WebSockets.

WebSockets allow extensive interaction between the client browser and the servers and devices. To protect the privacy of data transferred during a testing session, we use WSS exclusively. WSS runs the WebSocket protocol over TLS on port 443, so only encrypted data is transmitted.
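The HTTPS-redirect and WSS-only rules above are simple to state but have two details a practitioner checks for. First, a redirect that copies the client-supplied Host header into the Location header is an open redirect, so the target host should come from an allowlist. Second, a redirect alone still lets the browser send the first request in the clear, so HTTPS responses should carry HSTS; and a `ws://` handshake cannot be redirected by the browser, so it has to be refused outright. The following is an added example, not Testim's server code, written as a pure function over the request so it runs offline; the hostnames and request objects are constructed placeholders.

```javascript
// Added example (not Testim's code): enforce HTTPS and WSS for a service
// behind a TLS-terminating load balancer that sets x-forwarded-proto.
// ALLOWED_HOSTS and the sample requests are placeholders.

const ALLOWED_HOSTS = new Set(["app.example.com", "api.example.com"]); // assumed
const HSTS = "max-age=31536000; includeSubDomains";

// req: { method, url, headers, encrypted } in the shape of a Node
// http.IncomingMessage; `encrypted` stands in for req.socket.encrypted.
function isHttps(req) {
  const forwarded = (req.headers["x-forwarded-proto"] || "").split(",")[0].trim().toLowerCase();
  return forwarded === "https" || req.encrypted === true;
}

// Host is only trusted if it is one we serve; never echo an arbitrary Host header.
function allowedHost(req) {
  const host = (req.headers.host || "").toLowerCase().split(":")[0];
  return ALLOWED_HOSTS.has(host) ? host : null;
}

// Returns { status, headers, body }; no I/O, so it can be unit-tested directly.
function enforceHttps(req) {
  const host = allowedHost(req);
  if (host === null) {
    // Unknown Host header: refuse rather than build a Location from it (open redirect).
    return { status: 400, headers: {}, body: "unknown host" };
  }
  if (!isHttps(req)) {
    if ((req.headers.upgrade || "").toLowerCase() === "websocket") {
      // Browsers do not follow redirects on a WebSocket handshake, so a ws://
      // attempt is refused outright; clients must connect with wss://.
      return { status: 426, headers: { Upgrade: "TLS/1.2, HTTP/1.1" }, body: "use wss://" };
    }
    // Only redirect an origin-form path; never splice an absolute-form target into the URL.
    const path = typeof req.url === "string" && req.url.startsWith("/") ? req.url : "/";
    // 301 is fine for GET/HEAD; 308 preserves method and body for anything else.
    const status = req.method === "GET" || req.method === "HEAD" ? 301 : 308;
    return { status, headers: { Location: `https://${host}${path}` }, body: "" };
  }
  // Already on HTTPS: tell the browser to never try plain HTTP for this host again.
  return { status: 200, headers: { "Strict-Transport-Security": HSTS }, body: "ok" };
}

// Constructed requests.
const PLAIN_GET = { method: "GET", url: "/login", headers: { host: "app.example.com" } };
const PLAIN_POST = { method: "POST", url: "/api/run", headers: { host: "api.example.com:80" } };
const BAD_HOST = { method: "GET", url: "/", headers: { host: "evil.example" } };
const TLS_GET = { method: "GET", url: "/", headers: { host: "app.example.com", "x-forwarded-proto": "https" } };
const PLAIN_WS = { method: "GET", url: "/socket", headers: { host: "app.example.com", upgrade: "websocket" } };

console.log(enforceHttps(PLAIN_GET).headers.Location); // https://app.example.com/login
```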

Encryption policy

Testim uses the following encryption:

  • Data in transit – network traffic between client and server is encrypted (TLS)
  • Passwords – stored only as bcrypt password hashes, which are one-way and salted, never in a recoverable form
  • Data at rest – disks are encrypted

Cloud providers

Testim uses trusted and secured cloud providers to host our customers’ information and to enable parts of its service. This includes:

1. Secured databases

2. Secured file storage

3. Secured SAAS services

Our cloud providers use firewalls to protect their networks and encrypt all communication to Testim services using TLS. They also offer an additional layer of encryption backed by dedicated, hardware-based cryptographic key storage.

Our cloud providers hold the following compliance certifications:

  • SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70)
  • SOC2
  • SOC3
  • FISMA, DIACAP, and FedRAMP
  • DOD CSM Levels 1-5
  • PCI DSS Level 1
  • ISO 9001 / ISO 27001
  • ITAR
  • FIPS 140-2
  • MTCS Level 3

Our Cloud Providers:

1. Amazon AWS – Database & cloud computing

2. Microsoft Azure – Cloud Storage

3. Cloudinary – Image processing service

4. Coralogix – Real time log service

5. Applitools Eyes – Image comparison service

6. MongoDB Atlas – Managed MongoDB database service

Penetration testing

Testim performs annual penetration tests:

  • Application Vulnerability Assessment (Black box and Grey box)
  • External Penetration Assessment

Testim passed the assessments with no significant security vulnerabilities found (updated July 2019).